How to Reset an HPE iLO Administrator Password From the OS Using ipmitool

HPE DL145 Gen11 ILO 6

Recently, we ran into a challenge where we got an HPE ProLiant server with iLO installed, but the tag with the default password was not around. We realized it might be useful to some folks for us to make a quick guide on how to reset the password assuming you have physical access to the machine.


Here was the situation we found ourselves in. We tried Administrator, admin, and ADMIN logins, and nothing we could find on the server worked with the iLO login. After a short amount of time, iLO adds a login delay to prevent brute-force logins.

HPE DL145 Gen11 ILO 6

Step 0: Getting Root Shell Access in Linux with ipmitool

The prerequisite step is getting access to a root shell in Linux. If you already have an OS running and have a user with administrator privileges, then this is very easy. If you do not, and you have physical access, you can just boot an Ubuntu Desktop Live CD. Once there, you can do a sudo apt update and then you will want to do a quick:

sudo apt install ipmitool

That will get us the ipmitool that we need. If you have RHEL or another distribution, ipmitool is widely used, so you can just pull it from a repository in a similar way. We are just going to show the Ubuntu / Debian / Proxmox VE version since it works with the widely used Ubuntu LiveCD.

Step 1: Finding the Admin User

To find the user’s ID that we want to change, we use the command sudo ipmitool user list and then the channel. If you do not put a channel then you will usually get an “IPMI command failed: Parameter out of range” message. Usually, we use “1” but sometimes it is “0” or “2” depending on the server, especially if you broaden it out beyond just HPE ProLiant servers. This is just an example cycling through (we are elevating to root here since this is just a test Linux instance):

Ipmitool User List To Find Administrator Account

It is pretty clear as we cycle through 0, 1, and 2 that the users are on 1 so to get back here we use:

sudo ipmitool user list 1

That list shows us that we only have one user set up, “Administrator”, and that the user has Admin access. The other (Empty User) slots can be used with additional steps, and often that is the preferred way to set this up so you do not change the Administrator password on someone else. We can use sudo ipmitool user set name 3 STH to add STH in the third slot.

Ipmitool User Add STH List To Find Administrator And STH Accounts

Here you can see the big difference between the ADMINISTRATOR access and USER access so going through adding a user also requires adding permissions.

Now that we have a user, the next step is to reset the iLO password.

Step 2: Setting the iLO Administrator Password

This is a super simple step, with a big “gotcha” in it. HPE, as well as many other vendors, enforces minimum password standards on its out-of-band management users. The command we want to use is sudo ipmitool user set password 2 <PASSWORD>. Breaking that down, the 2 is for the Administrator user on the list above, then the <PASSWORD> is whatever you want the password to be, so long as it passes the validation requirements. Here is an example where the password “ADMIN” did not work but the password “ADMIN1234” worked properly:

Ipmitool User Set Password Administrator Account

At this point, you can log on to the web interface or a remote CLI using the Administrator account with ADMIN1234. We would suggest, of course, using a stronger password. Still, now that you have access, you can change whatever you need in the iLO, pop the Ubuntu LiveCD (often on a USB stick) and go back to it. If you were already using Proxmox VE or another OS and just installed ipmitool on it to make the change, you might want to uninstall ipmitool before logging out.

Step 3 (Optional): Set User Access

If you recall that STH user that we made, it has no password and no login access. This one is a bit tougher to get your head around, so here is what we are doing:

Ipmitool STH User Set Access

The first command, sudo ipmitool user enable 3, enables the user in the ID 3 slot, which is the STH user we made before. Then comes the tough one: sudo ipmitool user priv 3 4 1. Let us break that one down.

  • priv – is our privilege command
  • 3 – is our user ID, in this case the STH user has an ID of 3. Change this to whatever the user ID number is.
  • 4 – is the privilege level. 4 is ADMINISTRATOR but we could have used 3 for OPERATOR as an example.
  • 1 – is the channel. Since we found that we are using channel 1 on our management interface, we want to grant access on channel 1. Again, if you needed ipmitool user list 2 to show users, then that would be a 2.

Once we do that, we can log into the iLO 6 web management interface just as we would with the Administrator user.

STH User 3 Logged Into HPE ILO 6

A major benefit of this approach is that adding the additional user means we did not have to touch the Administrator account.

HPE ILO 6 Administrator And STH Users

You will see our STH user is now listed alongside the Administrator account with a full set of access rights except being part of the recovery set. If you are accustomed to changing users in this web interface, then you are ready to go.
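
Because any root shell on the host can add or re-key iLO accounts this way, it is worth checking afterwards which accounts hold ADMINISTRATOR. The script below is an added example, not part of the original article: it parses ipmitool user list output and reports ADMINISTRATOR-level accounts that are not on an allowlist. The sample table is constructed, and the function names and allowlist format are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: flag unexpected ADMINISTRATOR accounts
# in `ipmitool user list <channel>` output. Function names are hypothetical.

# Constructed sample shaped like ipmitool's table (not captured from a server).
SAMPLE='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   Administrator    true    false      true       ADMINISTRATOR
3   STH              true    false      true       ADMINISTRATOR
4   (Empty User)     true    false      false      NO ACCESS'

# admin_users: stdin = user list table; prints ID:NAME for each slot whose
# channel privilege limit is ADMINISTRATOR. Names may be blank or hold spaces,
# so the name is recovered by stripping the ID and the three boolean columns.
admin_users() {
  awk '
    $1 ~ /^[0-9]+$/ && /[ \t]ADMINISTRATOR[ \t]*$/ {
      name = $0
      sub(/^[ \t]*[0-9]+/, "", name)
      sub(/[ \t]+(true|false)[ \t]+(true|false)[ \t]+(true|false)[ \t]+.*$/, "", name)
      sub(/^[ \t]+/, "", name)
      print $1 ":" name
    }'
}

# unexpected_admins ALLOWLIST: ALLOWLIST is a comma-separated list of account
# names that are supposed to hold ADMINISTRATOR; anything else is printed.
unexpected_admins() {
  allow=",$1,"
  admin_users | while IFS=: read -r id name; do
    case "$allow" in
      *",$name,"*) ;;                       # expected account, stay quiet
      *) printf '%s:%s\n' "$id" "$name" ;;  # report ID:NAME
    esac
  done
}

# audit_bmc ALLOWLIST: live check over channels 0, 1 and 2 (the ones the
# article cycles through). Needs root and ipmitool; not run automatically.
audit_bmc() {
  for ch in 0 1 2; do
    ipmitool user list "$ch" 2>/dev/null | unexpected_admins "$1" |
      sed "s/^/channel $ch: /"
  done
}
```

On a live host, source the script as root and run audit_bmc "Administrator"; any line it prints is an ADMINISTRATOR account you did not list.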

Final Words

There is another process if you need to reset the password and cannot hook up a monitor. That process can remove the iLO license key, and requires physical access as well, so we generally just make a USB key with an Ubuntu live CD and use ipmitool. This same process works with most server OEMs as IPMI is largely standardized at this point.

This is also why folks say if someone has physical access to a machine, then their access is virtually unlimited. This entire process, when using a fast USB stick, takes maybe 1-2 minutes to do and is mostly gated by how fast the live CD boots.

Still, it is a handy trick if you have a server and have no way to find a useful iLO password.

3 COMMENTS

  1. In a pinch I’d do this but I honestly don’t like the fact you can even do this from an OS without the password in the first place.

    I’m guessing the liveCD with no monitor needs you to have a serial connection, which is disappearing from servers. I mean, if you have a monitor and physical access you might as well just reboot it and pop into the iLo Configuration Utility at boot to reset vs using a liveCD. Very few data centers or colo’s don’t have a crash cart. I suppose network closets don’t but then I’d just grab one off a desk nearby.

  2. @Jason
    There’s nothing stopping the live CD image from automatically resetting the IPMI at boot, no console is needed.
    If you can boot from random CD/USB you have already failed at security. A BIOS password with default boot limited to local HDD/SSD will make a physical attack more engaging – the attacker will need to reset the BIOS which requires taking the server out from the rack, opening the chassis and manipulating inside.
    Obviously if they can do that all bets are off, but it’s still stopping less sophisticated attackers.

  3. It’s even easier in Windows, all you need to do is install the HPE iLO Configuration Utility, and possibly the management interface drivers.

    Then you open the application, select Users, Administrator and enter a new password.

    You can also easily check and change the IP Address from within the same application.
